Replace the permission of internal connectivity checks
A number of connectivity checks that protect system-only methods check for CONNECTIVITY_INTERNAL, but CONNECTIVITY_INTERNAL is a signature|privileged permission. We should audit the permission checks, and convert checks that protect code that should not be called outside the system to a signature permission. So replace all CONNECTIVITY_INTERNAL checks with other, more appropriate permissions. Bug: 32963470 Test: atest FrameworksNetTests NetworkPolicyManagerServiceTest Change-Id: I8f2dd1cd0609056494eaf612d39820e273ae093f Merged-In: I8f2dd1cd0609056494eaf612d39820e273ae093f
@@ -16,19 +16,18 @@
|
||||
|
||||
package com.android.server;
|
||||
|
||||
import android.content.Context;
|
||||
import android.content.ContentResolver;
|
||||
import android.content.Context;
|
||||
import android.content.Intent;
|
||||
import android.content.pm.PackageManager;
|
||||
import android.database.ContentObserver;
|
||||
import android.net.NetworkStack;
|
||||
import android.net.Uri;
|
||||
import android.net.nsd.NsdServiceInfo;
|
||||
import android.net.nsd.DnsSdTxtRecord;
|
||||
import android.net.nsd.INsdManager;
|
||||
import android.net.nsd.NsdManager;
|
||||
import android.os.Binder;
|
||||
import android.os.HandlerThread;
|
||||
import android.net.nsd.NsdServiceInfo;
|
||||
import android.os.Handler;
|
||||
import android.os.HandlerThread;
|
||||
import android.os.Message;
|
||||
import android.os.Messenger;
|
||||
import android.os.UserHandle;
|
||||
@@ -38,6 +37,12 @@ import android.util.Slog;
|
||||
import android.util.SparseArray;
|
||||
import android.util.SparseIntArray;
|
||||
|
||||
import com.android.internal.annotations.VisibleForTesting;
|
||||
import com.android.internal.util.AsyncChannel;
|
||||
import com.android.internal.util.DumpUtils;
|
||||
import com.android.internal.util.State;
|
||||
import com.android.internal.util.StateMachine;
|
||||
|
||||
import java.io.FileDescriptor;
|
||||
import java.io.PrintWriter;
|
||||
import java.net.InetAddress;
|
||||
@@ -45,13 +50,6 @@ import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.concurrent.CountDownLatch;
|
||||
|
||||
import com.android.internal.annotations.VisibleForTesting;
|
||||
import com.android.internal.util.AsyncChannel;
|
||||
import com.android.internal.util.DumpUtils;
|
||||
import com.android.internal.util.Protocol;
|
||||
import com.android.internal.util.State;
|
||||
import com.android.internal.util.StateMachine;
|
||||
|
||||
/**
|
||||
* Network Service Discovery Service handles remote service discovery operation requests by
|
||||
* implementing the INsdManager interface.
|
||||
@@ -565,8 +563,7 @@ public class NsdService extends INsdManager.Stub {
|
||||
}
|
||||
|
||||
public void setEnabled(boolean isEnabled) {
|
||||
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.CONNECTIVITY_INTERNAL,
|
||||
"NsdService");
|
||||
NetworkStack.checkNetworkStackPermission(mContext);
|
||||
mNsdSettings.putEnabledStatus(isEnabled);
|
||||
notifyEnabled(isEnabled);
|
||||
}
|
||||
|
||||
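Review bot: `setEnabled` carries no statement of who may call it, even though it is a public binder entry point whose only guard is now `NetworkStack.checkNetworkStackPermission(mContext)` ahead of `mNsdSettings.putEnabledStatus(isEnabled)`. A one-line Javadoc would record the contract, for example `/** Caller must hold the network stack permission; throws SecurityException otherwise. */`. The old CONNECTIVITY_INTERNAL check could also be satisfied by privileged apps, so any preinstalled caller that relied on it will presumably start failing here; it is worth confirming that none exists. The Test: line names FrameworksNetTests, but nothing visible shows a negative case for this method, so a test asserting that a caller without the permission is rejected would pin the tightened behaviour.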
@@ -17,7 +17,6 @@
|
||||
package com.android.server.net;
|
||||
|
||||
import static android.Manifest.permission.ACCESS_NETWORK_STATE;
|
||||
import static android.Manifest.permission.CONNECTIVITY_INTERNAL;
|
||||
import static android.Manifest.permission.READ_NETWORK_USAGE_HISTORY;
|
||||
import static android.content.Intent.ACTION_SHUTDOWN;
|
||||
import static android.content.Intent.ACTION_UID_REMOVED;
|
||||
@@ -91,6 +90,7 @@ import android.net.Network;
|
||||
import android.net.NetworkCapabilities;
|
||||
import android.net.NetworkIdentity;
|
||||
import android.net.NetworkInfo;
|
||||
import android.net.NetworkStack;
|
||||
import android.net.NetworkState;
|
||||
import android.net.NetworkStats;
|
||||
import android.net.NetworkStats.NonMonotonicObserver;
|
||||
@@ -1020,8 +1020,6 @@ public class NetworkStatsService extends INetworkStatsService.Stub {
|
||||
private BroadcastReceiver mTetherReceiver = new BroadcastReceiver() {
|
||||
@Override
|
||||
public void onReceive(Context context, Intent intent) {
|
||||
// on background handler thread, and verified CONNECTIVITY_INTERNAL
|
||||
// permission above.
|
||||
performPoll(FLAG_PERSIST_NETWORK);
|
||||
}
|
||||
};
|
||||
@@ -1095,7 +1093,7 @@ public class NetworkStatsService extends INetworkStatsService.Stub {
|
||||
@Override
|
||||
public void limitReached(String limitName, String iface) {
|
||||
// only someone like NMS should be calling us
|
||||
mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
|
||||
NetworkStack.checkNetworkStackPermission(mContext);
|
||||
|
||||
if (LIMIT_GLOBAL_ALERT.equals(limitName)) {
|
||||
// kick off background poll to collect network stats unless there is already
|
||||
|
||||
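Review bot: Dropping the two-line comment in `mTetherReceiver.onReceive` removes the only statement that the sender of this broadcast is permission-checked, and the registration it pointed to ("above") is outside the hunks shown. If the `registerReceiver` call still passes a broadcast permission, keep a comment naming it, for example `// on background handler thread; sender permission enforced at registerReceiver()`. If it now passes none, `performPoll(FLAG_PERSIST_NETWORK)` is gated only by whether the intent action is a protected broadcast, which should be confirmed and stated in the comment instead. In `limitReached`, the existing `// only someone like NMS should be calling us` could likewise name the check that now enforces it.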